Innovation in Information Security

Microsoft's Out-of-Cycle Patches Could be Tip of Iceberg

Microsoft released two out-of-cycle security updates earlier this week: MS09-034 for Internet Explorer and MS09-035 for Visual Studio, addressing a set of related vulnerabilities rooted in the Active Template Library (ATL).

Interestingly, the out-of-band release is not a response to attacks already under way. Rather, it extends the protection already provided by MS09-032, which addressed the attacks seen in the wild against the ATL (Active Template Library) weaknesses that all three updates cover.

So why release the patches when nothing is currently targeting these particular vulnerabilities; why not wait for the next scheduled monthly release? According to the Security Research & Defense blog, the release is because "additional information regarding these vulnerabilities has been growing over the past few weeks." With Black Hat and DefCon taking place before the next scheduled patch release, it is probable that the vulnerabilities would be discussed there and new attacks would emerge after the conferences.

While the Visual Studio and Internet Explorer updates are related, both stemming from the ATL weaknesses, the Internet Explorer update also incorporates other fixes for which waiting until the next scheduled update would not be prudent. Why is it important to apply the patches as soon as possible? One of the addressed vulnerabilities allows an attacker to bypass the kill bit check: a control built with the flawed ATL can, while loading its persisted property data, instantiate an arbitrary object by CLSID without Internet Explorer applying its kill bit check to that object, effectively running disabled ActiveX controls in the browser. That would make many historical vulnerabilities and attacks, long considered closed by kill bits, exploitable again. The Internet Explorer update is designed to block the known attack routes, and time will tell whether Microsoft has succeeded in closing every way of reaching the vulnerabilities.
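Since the whole point of the bypass is that the kill bit is no longer a reliable barrier on an unpatched system, the first thing to know is which controls you are relying on kill bits for at all. The following is an added example (not code from the original post or from Microsoft) that reports the kill bit status of a list of CLSIDs. Internet Explorer honours the kill bit through bit 0x400 of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}; on 64-bit Windows the 32-bit browser reads the Wow6432Node copy, so both views are checked. The CLSID passed in the usage line is a placeholder, not a real control.

```powershell
# Added example: audit kill-bit status of ActiveX controls by CLSID.
# Not part of the original post. The CLSID used below is a placeholder.

$KillBitFlag = 0x400   # KILLBIT in Compatibility Flags

$CompatPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitStatus {
    param([Parameter(Mandatory)][string[]]$Clsid)

    foreach ($id in $Clsid) {
        # Normalise to the braced, upper-case form used for the registry keys
        $key = '{' + $id.Trim('{}').ToUpperInvariant() + '}'

        foreach ($base in $CompatPaths) {
            # The Wow6432Node path only exists on 64-bit Windows
            if (-not (Test-Path $base)) { continue }

            $path  = Join-Path $base $key
            $flags = $null
            if (Test-Path $path) {
                $flags = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'Compatibility Flags'
            }

            [pscustomobject]@{
                Clsid      = $key
                View       = if ($base -like '*Wow6432Node*') { '32-bit' } else { 'native' }
                Flags      = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(absent)' }
                KillBitSet = ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)
            }
        }
    }
}

# Usage: placeholder CLSID; substitute the CLSIDs from the advisory you are tracking.
Get-KillBitStatus -Clsid '{00000000-0000-0000-0000-000000000001}' | Format-Table -AutoSize
```

A control that shows KillBitSet = True in only one view is still loadable by the other bitness of the browser, which is a common audit finding on 64-bit machines. And a set kill bit on its own says nothing about whether MS09-034 is installed; on an unpatched Internet Explorer the ATL bypass can still reach the object, so the kill bit inventory should be read alongside the update status.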

The broader problem now faced is the unknown number of ActiveX controls that have been compiled and built against the vulnerable version of ATL (which the Visual Studio update replaces) and which will need to be rebuilt with the updated library. Microsoft has announced its willingness to include kill bits for vulnerable controls in future security updates, so all a developer needs to do is contact Microsoft.

With the vulnerable libraries having been available for 12 years, the scope of the potential problem facing end users is immense, hence the urgency of applying the Internet Explorer patch as a matter of priority.